I was told last week that David Litchfield had released two new papers, one of which is about SQL Injection. There are three main types of SQL Injection or rather ways to get the data back to the hacker after he has used a SQL injection attack. The first is in-band where the data is returned to the caller via the same query. An example would be a select statement where the hacker manages to add a union and select also the password hashes from the view DBA_USERS for instance. Then there is out of band where the same channel used to send and receive data via the SQL query being abused is not used. This is where a function such as UTL_HTTP or UTL_TCP can be used to send the data back to the hacker via another channel. The third method is inference where its not possible to get the data back through either the original channel or another alternate one. In this case the hacker can influence the database to give clues as to whether a piece of data is there or not or if it has a certain value or not. This can be as simple as causing the server to hang for 5 seconds if the data is there or no hang if not.
David's paper titled "Data-Mining With SQL Injection and Inference" is an excellent introduction to the subject with some great examples of taking the method further and not relying on the old method of adding time delays to infer a value or not. David also gives a good potted history of SQL Injection in this paper. It is well worth a read.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Some more posts on bugtraq about David Litchfields open letter to Oracle"] [Next entry: "WebGoat an application to learn how to hack!"]
October 2005
- The Six Dumbest Ideas in Computer Security - 10/01/2005 by 10/01/2005
- Good thread on Oracle brute force password cracking and OUG Scotland - 10/03/2005 by 10/03/2005
- OUG Scotland - 10/05/2005 by 10/05/2005
- Link to David Litchfields original post - 10/06/2005 by 10/06/2005
- Slight correction to the HTMLDB advisories - 10/07/2005 by 10/07/2005
- Some more posts on bugtraq about David Litchfields open letter to Oracle - 10/08/2005 by 10/08/2005
- WebGoat an application to learn how to hack! - 10/10/2005 by 10/10/2005
- Security, SOX and Oracle Incentive Compensation - 10/11/2005 by 10/11/2005
- The Age talks about David Litchfields open letter to Oracle - 10/12/2005 by 10/12/2005
- Prevention and detection better than cure - 10/13/2005 by 10/13/2005
- How to encrypt/decrypt strings with the dbms_obfuscation_toolkit package - 10/14/2005 by 10/14/2005
- comments and how to re-enable them on this blog - 10/16/2005 by 10/16/2005
- CPU October 18th a few comments - 10/18/2005 by 10/18/2005
- Women who know Oracle and security - 10/19/2005 by 10/19/2005
- Easy connect identifier - 10/20/2005 by 10/20/2005
- Researcher: Oracle Patch Set Flawed Again - 10/21/2005 by 10/21/2005
- Exploit circulating for newly patched Oracle bug - It can crash an unpatched database server - 10/22/2005 by 10/22/2005
- Some fight back on Oracle security bugs - old news article - 10/26/2005 by 10/26/2005
- Josh has released a paper about the Oracle password algorithm - 10/27/2005 by 10/27/2005
- Some news stories about the josh oracle password paper - 10/29/2005 by 10/29/2005
- UKOUG tomorrow - 10/30/2005 by 10/30/2005
Archives
Syndication
Powered by gm-rss 2.0.0
